Run Kubescape with host sensor (see here)
cis-aks-t1.2.0, cis-eks-t1.2.0, cis-v1.23-t1.0.1
It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data.
Security relevant information should be captured. The
--event-qps flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of
0 could result in a denial of service on the kubelet.
Run the following command on each node:
ps -ef | grep kubelet
Review the value set for the
--event-qps argument and determine whether this has been set to an appropriate level for the cluster. The value of
0 can be used to ensure that all events are captured.
--event-qps argument does not exist, check that there is a Kubelet config file specified by
--config and review the value in this location.
If using a Kubelet config file, edit the file to set
eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
Setting this parameter to
0 could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads.
--event-qps argument is set to
Updated 6 days ago